ELI5, why can’t you clone the signal that comes from a contactless card?

What mechanism is embedded within, for instance, tram cards that you can use to check in and out of your train ride, that prevents you from copying the signal that is coming from that card? I could maybe understand this for cards that have an account linked to them (e.g. bank cards or other personalised cards), but what about cards you just [top up](https://en.wikipedia.org/wiki/Stored-value_card?wprov=sfti1) (e.g. [train cards in the Netherlands](https://en.wikipedia.org/wiki/OV-chipkaart?wprov=sfti1))? Why couldn’t you just copy every signal that is coming out of that card and clone it to a different one, making a receiving device think you have a topped-up card?

10 Answers

Anonymous 0 Comments

In a well designed system, the data sent is different every single time and based on secret data the card doesn’t externally expose.

Eg, reader tells the card: “Here’s a number: 23475325”. And the card answers back: “Here’s my answer: 987323472”.

There’s some internal algorithm and secret that’s known both by the reader and the card. The reader uses a different random number every time, so just listening to the conversation doesn’t let you clone the card.
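
The exchange this answer describes, written out as an added example (not code from the thread): a reader issues a fresh random challenge, the card answers with a keyed hash of it, and a transcript recorded from one tap does not verify against the next challenge. The "static ID" card alongside it is the weak design the original question assumes, where replaying what was heard is enough. HMAC-SHA256 over a 16-byte challenge is an assumption for this demo; real cards use their own ciphers and key-derivation schemes.

```python
"""Challenge-response between a reader and a card vs. a static-ID card.

Added example, not from the original thread. Models the shared-secret scheme
with HMAC-SHA256 and a random 16-byte challenge (both assumptions for this
demo), and shows that a recorded response only replays against a card that
answers the same thing every time.
"""
import hashlib
import hmac
import secrets


class StaticIdCard:
    """Weak design: the card emits the same identifier on every tap."""

    def __init__(self, card_id: bytes):
        self.card_id = card_id

    def respond(self, _challenge: bytes) -> bytes:
        return self.card_id  # ignores the challenge entirely


class StaticIdReader:
    """Reader for the weak design: accepts any tap that presents a known ID."""

    def __init__(self, known_id: bytes):
        self._known_id = known_id

    def new_challenge(self) -> bytes:
        return b""  # nothing to challenge with

    def verify(self, _challenge: bytes, response: bytes) -> bool:
        return hmac.compare_digest(self._known_id, response)


class ChallengeResponseCard:
    """Stronger design: the secret never leaves the card; only a keyed
    response to the reader's challenge goes over the air."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class ChallengeResponseReader:
    """Reader that shares the card's secret and picks a fresh challenge per tap."""

    def __init__(self, card_secret: bytes):
        self._secret = card_secret

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)  # different random number every time

    def verify(self, challenge: bytes, response: bytes) -> bool:
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def genuine_tap(reader, card):
    """One real tap. Returns (challenge, response, accepted); the pair
    (challenge, response) is what an eavesdropper could record."""
    challenge = reader.new_challenge()
    response = card.respond(challenge)
    return challenge, response, reader.verify(challenge, response)


def replay_recorded(reader, recorded_response: bytes) -> bool:
    """Replay: present a previously recorded response to a NEW challenge."""
    fresh_challenge = reader.new_challenge()
    return reader.verify(fresh_challenge, recorded_response)


def demo() -> dict:
    """Run both designs through a genuine tap and then a replay."""
    results = {}

    # Weak design: the recorded 'signal' is all the reader ever checks.
    static_reader = StaticIdReader(b"card-0001")  # constructed sample ID
    static_card = StaticIdCard(b"card-0001")
    _, recorded, ok = genuine_tap(static_reader, static_card)
    results["static_genuine"] = ok
    results["static_replay"] = replay_recorded(static_reader, recorded)

    # Challenge-response: same secret on card and reader, never transmitted.
    secret = secrets.token_bytes(32)
    cr_reader = ChallengeResponseReader(secret)
    cr_card = ChallengeResponseCard(secret)
    _, recorded, ok = genuine_tap(cr_reader, cr_card)
    results["cr_genuine"] = ok
    results["cr_replay"] = replay_recorded(cr_reader, recorded)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The replay against the challenge-response reader fails because the recorded response was computed over a challenge the reader will not issue again; the eavesdropper has the answer to a question nobody is asking. The static-ID replay succeeds, which is exactly the property that made early, badly designed tags copyable.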

Anonymous 0 Comments

You can. And when the “tap” technology in debit and credit cards was still a novel concept, it was relatively common. That’s why so many wallets and purses these days boast RFID blocking technology.

Transit cards are likely not high value targets, though, as they’re typically relatively anonymous and their balance has no cash value (ie you can’t take them anywhere and convert them back to money).

Anonymous 0 Comments

Secure cards don’t send out a constant code; they’re sent a challenge code and they transform that using a secret on the card before sending it back. Listening in doesn’t tell you the secret and, unless you’re sent the same challenge, you don’t know the correct response.

Anonymous 0 Comments

First off, the cards don’t transmit a signal in the way your question implied. They interact with a signal being transmitted from the card reader. So, in order to “clone” this, you’d need a copy of the chip on the card, AND a copy of the signal being sent from the reader, AND the challenge/response of that signal, and…

Basically, it could be done, but it pretty much requires direct interaction with both devices. That’s why physical card skimmers on things like gas pumps are a thing. They provide that direct interaction so they can record all the parts of the transaction and *hopefully* reproduce them elsewhere (they are not 100% effective, thankfully).

Anonymous 0 Comments

You need to have the correct combination to send an energy pulse to the magnet inside the individual card that carries an identity like its own fingerprint, which then is stored within whatever device is sending the specific information gained to a “storage center” of sorts. Some devices are more easily updated to create different caches of data remotely and some need hands-on manipulation (like changing values on a piece of equipment/card; think hard/software). Every piece of electronic gadgetry follows that basic process and the only difference is the actual number of pieces with individual hard/software and memory.

Anonymous 0 Comments

You can clone the signal, but that won’t be enough.

Your error is that you believe there is an “add money on the card” signal when you add money to your account.

There is a lot more than that, along with various identifiers that will make sure the transaction, if any, is unique, and both the emitter and receiver are the ones that are supposed to be.

It is a radio system with authentication, just like a phone and a sim card.

Anonymous 0 Comments

Contactless cards use radio frequency identification (RFID) technology. This means that the card transmits a signal that can be read by an RFID reader. However, the signal from a contactless card cannot be cloned because it is encrypted.

Anonymous 0 Comments

Using Apple Pay as an example, it sends a security code derived from your device ID that can’t be reused. A replay attempt will be using an old, invalid security code and be rejected.

Anonymous 0 Comments

The card is an RFID device. When you take it near a reader, it is the radio waves coming from the reader that are used to power a tiny microchip on the card that is capable of receiving data, doing calculations and sending a reply to the reader.

To make a payment, you have three parties working together: the card, the POS terminal (Point of Sale or Piece of Shit depending on whether it decides to not work that day) aka the card reader and the bank’s (or credit card company’s) computer.

When a POS terminal is registered, it is given a cryptographic certificate to act as its little ID card from the bank. When starting up, it uses this to identify itself to the bank and be allowed to initiate payment requests.

Your card has a similar little ID key in it – it is known to nobody other than it. The bank has a pair of this key – another key that has the unique property that if it is used to encrypt something, only the other half of the pair can decrypt it out of all possible keys.

When a payment is initiated, the POS terminal does its own little authentication dance to the bank and when it is done, it’s your card’s turn. The bank chooses a secret message and encrypts it with the pair of the card key it has. The encrypted message is sent to the POS terminal (which can’t read it because it has neither key much less the super secret one on the card) and the terminal sends it to the card.

The card takes its own super secret key and attempts to decrypt the message. The result is sent back to the bank through the POS terminal. The bank checks the reply and if it is the same message it started with, then it can be sure that your card was the one to decrypt it and the transaction can go through.

The implications of this are as such: if the challenge message is 1024 bits long, were you sneaking around and listening to the card talking to the POS terminal, you’d need to listen to circa 2808895523222368605827039360607851146278089029597354019897345018089573059460952548948569958162617750330001779372990521213418590137725259726450741103741783193402623334763523207442222181269470220616454421126328215138096104411600982523029892352200425580677351729446660909999175717788745567263052442650378502144 valid transactions *from that specific card* to have a ~1.56% chance of getting a challenge key you’ve already seen and know the answer to (and you probably get only one chance before the bank locks touch payment for that card). [That number is not button mashing.](https://www.wolframalpha.com/input?i=2%5E1024+%2F+64)

Another way to implement a similar arrangement is called [TOTP](https://en.wikipedia.org/wiki/Time-based_one-time_password). This is what two-factor authentication (Google Authenticator, Steam Guard, etc.) uses. The secret key is known to both the device seeking authentication and the server. The challenge key is ever changing yet not flexible: the current time (usually down to about a minute or so). The server and the device both use the commonly known key and the current time to generate a password. The client sends it to the server and the server checks if they match – if they do, then it can know that the client also knows the secret key. Record and replay attacks are ruled out simply by the server checking the current time when it received the authentication request – in a given minute, the chance of guessing the correct reply for a certain key without knowing it for any given time is similarly minuscule as the above example, and the server can simply refuse to accept that key again until it expires.
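
The TOTP arrangement in the last paragraph, as an added example (not from the thread or any authenticator's code): HOTP per RFC 4226 and TOTP per RFC 6238 over HMAC-SHA1, plus a small server that does the two things the answer credits with stopping replay, checking the code against the current time step (with one step of tolerance, an assumption for this demo) and refusing to accept a code from a time step it has already accepted. The RFC default is a 30-second step rather than the "about a minute" in the answer; the idea is the same. The shared secret below is the ASCII test key from the RFCs, so the codes can be checked against the published vectors.

```python
"""TOTP with server-side replay rejection.

Added example, not from the original thread. Implements HOTP (RFC 4226) and
TOTP (RFC 6238) with HMAC-SHA1 and a verifier that (a) only accepts codes
for time steps near 'now' and (b) never accepts a time step twice.
"""
import hashlib
import hmac

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password for an 8-byte big-endian counter."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation: low nibble picks the window
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: the counter is the number of whole steps since epoch."""
    return hotp(secret, unix_time // step, digits)


class TotpServer:
    """Verifier that shares the secret with the client device.

    'window' is how many steps of clock drift are tolerated in each direction
    (an assumption for this demo). 'last_accepted' records the highest time
    step already used, so a recorded code cannot be played back until it has
    expired anyway.
    """

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self._secret = secret
        self.step = step
        self.window = window
        self.last_accepted = -1

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_accepted:
                continue  # this step was already spent: replay rejected
            if hmac.compare_digest(hotp(self._secret, counter), code):
                self.last_accepted = counter
                return True
        return False  # wrong secret, expired step, or guessed wrong


def demo() -> dict:
    """Walk a client and server through a login, a replay, and a fresh login."""
    server = TotpServer(TEST_SECRET)
    results = {}
    # t=59 is inside step 1 (30..59); RFC 6238 lists this code for that time.
    first = totp(TEST_SECRET, 59)
    results["first_login"] = server.verify(first, 59)
    # Attacker recorded 'first' and replays it a few seconds later, still in
    # a step the server would otherwise tolerate: rejected as already used.
    results["replay"] = server.verify(first, 70)
    # The legitimate client generates a fresh code for step 2 (60..89).
    results["next_login"] = server.verify(totp(TEST_SECRET, 70), 70)
    # A code from step 3 presented long after it expired is outside the window.
    results["stale"] = server.verify(totp(TEST_SECRET, 100), 200)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Without the `last_accepted` bookkeeping the replay at t=70 would succeed, since step 1 is still inside the one-step tolerance window; the tolerance is what makes explicit replay tracking necessary rather than optional.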

Anonymous 0 Comments

Card issuers and vendors have taken measures to make sure that contactless cards cannot be cloned. One such measure is the use of a cryptographic chip in the card, which creates a unique code that changes with each transaction.